{
	"id": "d1707640-800c-4488-9827-a90332a5f66b",
	"created_at": "2026-04-06T00:15:22.364564Z",
	"updated_at": "2026-04-10T13:11:41.647034Z",
	"deleted_at": null,
	"sha1_hash": "43dddc27bdab880148f831e6448a0f3ac1d59306",
	"title": "Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2658162,
	"plain_text": "Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants\r\nBy Subhajeet Singha\r\nPublished: 2025-05-12 · Archived: 2026-04-05 16:36:07 UTC\r\nContent\r\nIntroduction\r\nInitial Findings\r\nLooking into the decoy\r\nInfection Chain\r\nTechnical Analysis\r\nStage 1 – Malicious LNK Script\r\nStage 2 – Malicious Pterois Implant\r\nStage 3 – Malicious Isurus Implant\r\nStage 4 – Malicious Cobalt Strike Shellcode\r\nInfrastructure and Hunting\r\nAttribution\r\nConclusion\r\nSeqrite Protection\r\nIOCs\r\nMITRE ATT\u0026CK\r\nIntroduction\r\nSeqrite Labs APT-Team has recently uncovered a campaign, which we have termed Swan Vector, that has been targeting nations across the East China Sea such as Taiwan and Japan. The campaign is aimed at educational institutes and the mechanical engineering industry, with lures delivering fake candidate resumes that act as decoys.\r\nThe malware ecosystem involved in this campaign comprises four stages. The first is a malicious LNK; in the second stage the shortcut file executes the DLL implant Pterois via a very well-known LOLBin. Pterois uses stealthy methods to execute and to download the third stage, which contains multiple files including a legitimate Windows executable that is used to run another implant, Isurus, via DLL sideloading. Isurus in turn executes the fourth stage, the malicious Cobalt Strike shellcode downloaded by Pterois.\r\nIn this blog, we’ll explore the sophistication of the campaign and cover every minute technical detail we encountered during our analysis. 
We will examine the various stages of this campaign, starting with the analysis of the shortcut (.LNK) file, moving through the multiple DLL implants, and ending with an analysis of the shellcode and a final overview.\r\nInitial Findings\r\nRecently, in April, our team found a malicious ZIP file named 歐買尬金流問題資料_20250413 (6).rar, which can be translated to Oh My God Payment Flow Problem Data – 2025/04/13 (6). It has been used as the preliminary source of infection and contains various files, one of them an LNK and another a file with a .PNG extension.\r\nThe ZIP contains a malicious LNK file named 詳細記載提領延遲問題及相關交易紀錄.pdf.lnk, which translates to “Shortcut to PDF: Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk”. It is responsible for running the DLL payload masqueraded as a PNG file, Chen_YiChun.png. This DLL is executed via the very well-known LOLBin RunDLL32.exe, which then downloads another set of implants and a decoy PDF file.\r\nLooking into the decoy\r\nWhen the first DLL implant, aka Pterois, was executed via the LOLBin, we saw that a decoy file named rirekisho2025, which is roughly the Japanese for Curriculum Vitae (CV 2025), was downloaded and stored inside the Temp directory alongside the other implants and binaries.\r\nhttps://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/\r\nPage 1 of 20\n\nOn the first page, there is a Japanese resume/employment history form “履歴書・職歴経歴書” dated in the Reiwa era format (令和5年4月). The form has a basic header section with fields for personal information including name (氏名), date, gender selection (男/女), birth date, address fields, email address (E-Mail), and contact numbers. There is also a photo placeholder box in the upper right corner. The decoy appears to be mostly blank, with rows for entering education and work history details. 
Notable fields include entries for different years (月), degree/qualification levels, and employment dates. At the bottom, there are sections for licenses/certifications and additional notes.\r\nOn the second page, there are two identical sections labeled “職歴 1” and “職歴 2” for employment history entries. Each section contains fields for company name, position, employment dates, and a large notes section. The fields are arranged in a similar layout, with spaces for the company/organization name (会社・団体名), position title, dates of employment, and work-related details. There is also a section with red text referring to additional documents or materials (調査、調査料、ファイル等).\r\nOn the third and last page, there is one more employment history section, “職歴 3”, with the same structure as the previous page: company name, position, employment dates, and notes. Below this, there are five additional employment history sections with repeated fields for company name, position, and employment dates, though these appear more condensed than the earlier sections. Each section follows the same pattern of requesting employment-related information in a structured format. Next, we will look into the infection chain and technical analysis.\r\nInfection Chain\r\nTechnical Analysis\r\nWe will break down the technical capabilities of this campaign into four parts.\r\nStage 1 – Malicious LNK Script\r\nThe ZIP contains a malicious LNK file, 詳細記載提領延遲問題及相關交易紀錄.pdf.lnk, which translates to Detailed Record of Withdrawal Delay Issues and Related Transaction Records. The same LNK has also been seen under another name, 針對提領系統與客服流程的改進建議.pdf.lnk, which translates to Suggestions for Improving the Withdrawal System and Customer Service Process. 
The creation time of the LNK is 2025-03-04.\r\nUpon analyzing the contents of this malicious LNK file, we found that its sole purpose is to spawn an instance of the LOLBin rundll32.exe, which is then used to execute a malicious DLL implant named Pterois, calling the implant’s export function Trpo with an interesting argument, 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg. We will look into how this argument is leveraged by the implant in a later part of this technical analysis.\r\nStage 2 – Malicious Pterois Implant\r\nInitially, upon examining the malicious RAR archive, along with the malicious LNK file we found another file with a .PNG extension, Chen_YiChun.png.\r\nOn doing some initial analysis, we figured out that the file is actually a DLL implant, which we have named Pterois. Now, let us examine the technicalities of this implant.\r\nWhile analyzing the malicious LNK file, we saw that rundll32.exe is used to execute this DLL file’s export function Trpo.\r\nLooking inside the implant’s functionalities, it has two primary features: the first performs API hashing, and the second downloads the next stage of the malware.\r\nThe first function is responsible for resolving all required APIs from DLLs such as NTDLL, UCRTBase, Kernel32 and the other libraries needed for the desired functions.\r\nThis is done by initially accessing the Process Environment Block (PEB) to retrieve the list of loaded modules. The code then traverses this list using the InMemoryOrderModuleList, which links LDR_DATA_TABLE_ENTRY structures, each representing a loaded DLL. 
Within each LDR_DATA_TABLE_ENTRY, the BaseDllName field (a UNICODE_STRING) holds just the DLL’s filename (e.g., ntdll.dll), and the DllBase field contains its base address in memory.\r\nDuring traversal, the function converts the BaseDllName to an ANSI string, normalizes it by converting it to uppercase, and computes an SDBM hash of the resulting string, which makes the comparison case-insensitive. This computed hash is compared against a target hash provided to the function. If a match is found, the corresponding DLL’s base address is read from the DllBase field and returned.\r\nOnce the DLL’s base address is returned, the code uses the same case-insensitive SDBM hashing algorithm to resolve API function addresses within NTDLL.DLL. It does this by parsing the DLL’s Export Table, computing the SDBM hash of each exported function name, and comparing it to a target hash to find the matching function address.\r\nHere is a simple Python script which evaluates and performs the hashing. In the first function, a total of four functions are resolved.\r\nSimilarly, the APIs from the other two dynamically linked libraries, ucrtbase.dll \u0026 Kernel32.dll, are resolved in the same manner.\r\nIn the next set of functions, which resolve APIs from DLLs such as iphlpapi.dll, shell32.dll and WinHTTP.dll, the implant first resolves the DLL’s base address just like the previous functions. 
Once it is returned, the implant uses a simple yet pseudo-anti-analysis technique: it uses Timer Objects to load these DLLs.\r\nInitially it creates a timer queue using RtlCreateTimerQueue. Once the Timer Object is created, another API, RtlCreateTimer, is used to run a callback function, which in this case is the LoadLibraryW API, used to load the DLL. Then GetModuleHandleW is used to get a handle to IPHLPAPI.DLL. Once this succeeds, the RtlDeleteTimerQueue API is used to delete and free the Timer Object. Finally, the API GetAdaptersInfo is resolved via a hash.\r\nSimilarly, the other DLLs are loaded in the same manner. Next, we will look into the later part of the implant, the set of functions responsible for downloading the next stager.\r\nThe function starts by getting the entire command line, comprising the LOLBin and the argument, which is then truncated to 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg, a hardcoded file ID.\r\nIt then abuses Google Drive as a command-and-control server by first authenticating with legitimate OAuth credentials. After obtaining a valid access token through a properly formatted OAuth exchange, it uses the Google Drive API to retrieve files for specific hardcoded file IDs, including malicious executables, DLLs, and configuration files, which it downloads to predetermined paths in C:\\Windows\\Temp.\r\nFor the token request it sets the Content-Type header to “application/x-www-form-urlencoded” so that the request is processed correctly by Google’s authentication servers. 
Following this exchange, it parses the JSON response, extracting the “access_token” field from Google’s reply using cJSON_GetObjectItem. The memory dump clearly displays the obtained OAuth token beginning with “ya29.a0AZYk”, confirming a successful authentication. Once this token is parsed and extracted, it is stored and subsequently used to authorize API calls to Google Drive, allowing the implant to download additional payloads while appearing as legitimate Google Drive traffic. The parsed JSON extracted from memory looks something like this.\r\nOnce the files are downloaded, another part of this implant uses CreateThread to spawn the downloaded decoy and the other files for execution.\r\nFinally, with the files downloaded and the decoy spawned on screen, the task of the Pterois implant is done.\r\nThe last part of this implant is that, once the entire task is complete, it performs a self-delete to cover its tracks and reduce the chance of detection.\r\nThe self-deletion routine uses a delayed execution technique: it spawns a cmd.exe process that pings localhost before deleting the file, ensuring the deletion occurs after the current process has exited and released its file handles.\r\nNext, we will look into the other DLL implant, which is downloaded by this malicious loader.\r\nStage 3 – Malicious Isurus Implant\r\nThe previous implant downloads a total of four samples. 
One of them is a legitimate Windows-signed binary known as PrintDialog.exe.\r\nThe other file, PrintDialog.dll, is the second implant, with a compilation timestamp of 2025-04-08 03:02:59 UTC. It is responsible for running the shellcode contained in the ra.ini file and abuses the very well-known technique of DLL sideloading: the malicious DLL is placed in the current directory, and because PrintDialog.exe does not specify an explicit path for the DLL, the implant, which we call Isurus, is loaded and performs its malicious tasks.\r\nLooking at the export table, we can see that the malicious implant exports only two functions, one being the normal DllEntryPoint and the other being the malicious DllGetActivationFactory export function.\r\nLooking inside the export function, we can see that Isurus performs API resolution via hashes along with shellcode extraction, and then loads and executes the shellcode in memory.\r\nThe implant initially resolves the APIs by performing the PEB-walking technique, traversing the Process Environment Block (PEB) to locate the base address of the needed DLLs such as ntdll.dll and kernel32.dll. Once the base address of a target DLL is identified, the implant manually parses the PE (Portable Executable) headers of the DLL to locate the Export Directory Table.\r\nTo resolve specific APIs, the implant employs a hashing algorithm, CRC32. 
Instead of looking up an export by name, the loader computes a hash of each function name in the export table and compares it to precomputed constants embedded in the code to resolve the function.\r\nNow, let us look into how this implant extracts and loads the shellcode.\r\nIt initially opens the existing file ra.ini with read permissions using the CreateFileW API. Once it gets the handle, another API, GetFileSize, is used to read the size of the file. Once the file size is obtained, the file is read via the ReadFile API. Then, using the hardcoded RC4 key wquefbqw, the shellcode is decrypted and returned.\r\nAfter extracting the shellcode, it is executed directly in memory using a syscall-based execution technique. This approach involves loading the appropriate syscall numbers into the EAX register and invoking low-level system calls to allocate memory, write the shellcode, change memory protections, and ultimately execute the shellcode, all without relying on higher-level Windows API functions. The PDB path of this implant also reflects this functionality:\r\nC:\\Users\\test\\source\\repos\\sysldr\\x64\\Release\\weqfdqwefq.pdb\r\nIn the next part, we will look into the malicious shellcode and its workings.\r\nStage 4 – Malicious Cobalt Strike Shellcode\r\nUpon looking into the file, we found that the shellcode is stored in encrypted form. We decrypted it using the key with a simple Python script.\r\nFurther analysis of the shellcode showed that it is a Cobalt Strike based beacon. Here are the extracted configs. 
Extracted beacon config:\r\nProcess Injection Targets:\r\nwindir\\syswow64\\bootcfg.exe\r\nwindir\\sysnative\\bootcfg.exe\r\nInfrastructural information:\r\nhxxps://52.199.49.4:7284/jquery-3.3.1.min.js\r\nhxxps://52.199.49.4:7284/jquery-3.3.2.min.js\r\nRequest Body:\r\nGET /jquery-3.3.1.min.js HTTP/1.1\r\nHost: 52.199.49.4:7284\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nCookie: __cfduid=dT98nN_EYDF96RONtS1uMjE0IZIWy9GljNoWh6rXhEndZDFhNo_Ha4AmFQKcUn9C4ZUUqLTAI6-6HUu3jA-WcnuttiUnc\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nHTTP Settings GET Hash:\r\n52407f3c97939e9c8735462df5f7457d\r\nHTTP Settings POST Hash:\r\n7c48240b065248a8e23eb02a44bc910a\r\nDue to the extensive documentation and prevalence of Cobalt Strike in offensive security operations, an in-depth analysis is deemed unnecessary. Nonetheless, the extracted beacon configuration confirms that the threat actor leveraged Cobalt Strike as a component of their intrusion toolkit in this campaign.\r\nInfrastructure and Hunting\r\nWhile reverse-engineering the implants, we found that the threat actor had been using Google Drive as a command-and-control (C2) framework, which also leaked a lot of details such as sensitive API keys and much more. 
We have found the associated details related to the threat actor’s infrastructure, such as the associated Gmail address \u0026 a list of implants which the threat actor had scheduled for other campaigns and which have not been used In-The-Wild (ITW).\r\nInformation related to the threat actor’s Google Drive account: { “user”: { “kind”: “drive#user”, “displayName”: “Swsanavector56”, “photoLink”: “https://lh3.googleusercontent.com/a/ACg8ocKiv7cWvdPxivqyPdYB70M1QTLrTsWUb-QHii8yNv60kYx8eA=s64”, “me”: true, “permissionId”: “09484302754176848006”, “emailAddress”: “swsanavector42@gmail.com” } }\r\nWe also recovered the list of files found inside the Google Drive (PrintDialog.exe, PrintDialog.dll, ra.ini, the rirekisho2025.pdf and rirekisho2021_01.pdf decoys, wbemcomn.dll, svhost.exe, 0g9pglZr74.ini, KpEvjK3KG2.enc, LoggingPlatform.dll, python310.dll, pythonw.exe, python.xml, OneDriveFileLauncher.exe and an llv folder), together with their Google Drive file IDs, sizes and SHA-256 hashes.\r\nWe also observed that the host address where Cobalt Strike was being hosted sits under ASN 16509, with the IP geolocated in Japan.\r\nApart from the Google Drive C2, we also found that the Gmail address has been used to create accounts and perform activities, which have since been removed, on multiple platforms such as Google Maps, YouTube and Apple-based services.\r\nAttribution\r\nWhile attribution remains a key perspective when analyzing the current and future motives of threat actors, we have observed a similar modus operandi to this campaign, particularly in terms of DLL sideloading techniques. 
Previously, the Winnti APT group has exploited PrintDialog.exe using this method. Additionally, when examining the second implant, Isurus, we found some similarities with the codebase used by the Lazarus group, which has employed DLL sideloading techniques against wmiapsrv.exe, a file that was found uploaded to the threat actor’s Google Drive account. Along with this, we have found a few similarities between Swan Vector and APT10’s recent targets across Japan \u0026 Taiwan.\r\nWhile these observations alone do not provide concrete attribution, when combined with linguistic analysis, implant maturity, and other collected artifacts, we attribute this threat actor to the East Asian geosphere with medium confidence.\r\nConclusion\r\nUpon analysis and research, we have found that the threat actor is based out of East Asia and has been active since December 2024, targeting multiple hiring-based entities across Taiwan \u0026 Japan. The threat actor relies on custom-developed implants, comprising a downloader, shellcode loaders \u0026 Cobalt Strike, as their key tools, while relying heavily on multiple evasion techniques such as API hashing, direct syscalls, function callbacks, DLL sideloading and self-deletion to avoid leaving any traces on the target machine.\r\nWe believe that the threat actor will use the above implants, which have been scheduled for upcoming campaigns, to perform DLL sideloading against applications like Python, the WMI Performance Adapter Service and the OneDrive Launcher executable in order to execute their malicious Cobalt Strike beacon with CV-based decoys.\r\nSeqrite Protection\r\nPterois.S36007342\r\nTrojan.49524.GC\r\ntrojan.49518.GC\r\nIndicators-Of-Compromise (IOCs)\r\nDecoys (PDFs): rirekisho2021_01.pdf, rirekisho2025.pdf (SHA-256 hashes given in the original report)\r\nIP/Domains\r\nMalicious Implants: wbemcomn.dll, LoggingPlatform.dll, PrintDialog.dll, python310.dll, Chen_YiChun.png, 針對提領系統與客服流程的改進建議.pdf.lnk (SHA-256 hashes given in the original report)\r\nShellcode and other suspicious binaries: 0g9pglZr74.ini, ra.ini, python.xml, KpEvjK3KG2.enc (SHA-256 hashes given in the original report)\r\nMITRE ATT\u0026CK\r\nTactic, Technique ID, Technique Name, Sub-technique ID, Sub-technique Name\r\nInitial Access T1566 Phishing T1566.001 Spearphishing Attachment\r\nExecution T1129 Shared Modules\r\nExecution T1106 Native API\r\nExecution T1204 User Execution T1204.002 Malicious File\r\nPersistence T1574 Hijack Execution Flow T1574.001 DLL Sideloading\r\nPrivilege Escalation T1055 Process Injection T1055.003 Thread Execution Hijacking\r\nPrivilege Escalation T1055 Process Injection T1055.004 Asynchronous Procedure Call\r\nDefense Evasion T1218 System Binary Proxy Execution T1218.011 Rundll32\r\nDefense Evasion T1027 Obfuscated Files or Information T1027.007 Dynamic API Resolution\r\nDefense Evasion T1027 Obfuscated Files or Information T1027.012 LNK Icon Smuggling\r\nDefense Evasion T1027 Obfuscated Files or Information T1027.013 Encrypted/Encoded File\r\nDefense Evasion T1070 Indicator Removal T1070.004 File Deletion\r\nCommand and Control T1102 Web Service\r\nSource: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/"
	],
	"report_names": [
		"swan-vector-apt-targeting-taiwan-japan-dll-implants"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ac9c0263-8848-4cc8-b63a-9f7380b0d197",
			"created_at": "2025-05-18T02:00:03.051256Z",
			"updated_at": "2026-04-10T02:00:03.842035Z",
			"deleted_at": null,
			"main_name": "Swan Vector",
			"aliases": [],
			"source_name": "MISPGALAXY:Swan Vector",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43dddc27bdab880148f831e6448a0f3ac1d59306.pdf",
		"text": "https://archive.orkl.eu/43dddc27bdab880148f831e6448a0f3ac1d59306.txt",
		"img": "https://archive.orkl.eu/43dddc27bdab880148f831e6448a0f3ac1d59306.jpg"
	}
}